Impacket is a collection of Python-based scripts designed for manipulating network protocols and exploiting Windows services. It contains several tools for remote service execution, Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks. 

Although red teamers use Impacket for authorized testing, threat actors frequently misuse it for lateral movement, privilege escalation, and data exfiltration while remaining undetected. Because its traffic closely resembles legitimate administrative activity, detection and mitigation are challenging, and attackers can blend into normal system operations. Impacket has several modules tailored for specific attack techniques:

  • WMIexec: Executes commands remotely on Windows systems using Windows Management Instrumentation (WMI) without the need for a full remote shell, making it ideal for stealthy lateral movement.
  • Secretsdump: Extracts credentials from Windows systems by dumping New Technology LAN Manager (NTLM) and LAN Manager (LM) password hashes, even from memory or registry hives, aiding in credential theft.
  • SMBexec: Enables remote code execution over the Server Message Block (SMB) protocol, allowing attackers to bypass certain security controls while maintaining persistent access.
  • Mimikatz-like functionality: Retrieves plaintext passwords, hashes, PINs, and Kerberos tickets from Windows memory for further exploitation.

This blog post explores how to simulate realistic attacks on Windows endpoints using Impacket and demonstrates how Wazuh can monitor and detect such malicious activities.

Infrastructure

We use the following infrastructure to demonstrate the detection of Impacket with Wazuh.

  • A pre-built, ready-to-use Wazuh OVA 4.11.2. Follow this guide to download the virtual machine.
  • A Windows 11 victim endpoint with Wazuh agent 4.11.2 installed and enrolled to the Wazuh server. Refer to the installation guide to install the Wazuh agent.
  • An Ubuntu 22.04 LTS endpoint to serve as the attacker endpoint.

Configuration

Configuring the Windows endpoint

In this section, we configure the Windows 11 endpoint to forward Sysmon logs to the Wazuh server. We also enable remote administration services to facilitate the attack simulation.

Forwarding Sysmon logs to the Wazuh server

Run the commands below on the Windows 11 endpoint in PowerShell with Administrator privileges to install Sysmon and forward the logs to the Wazuh server:

  1. Download Sysmon from the Microsoft Sysinternals page.
  2. Create a Sysmon folder in the endpoint C:\ folder:
> New-Item -ItemType Directory -Path C:\Sysmon
  3. Extract the content of the compressed Sysmon file to the C:\Sysmon folder:
> Expand-Archive -Path "<PATH>\Sysmon.zip" -DestinationPath "C:\Sysmon"

Replace <PATH> with the directory where the Sysmon.zip file was downloaded.

  4. Download the Sysmon configuration file to the C:\Sysmon folder using the PowerShell command below:
> wget -Uri https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml -OutFile C:\Sysmon\sysmonconfig.xml
  5. Switch to the directory with the Sysmon executable and run the command below to install and start Sysmon:
> cd C:\Sysmon
> .\Sysmon64.exe -accepteula -i sysmonconfig.xml
  6. Add the following configuration within the <ossec_config> block of the C:\Program Files (x86)\ossec-agent\ossec.conf file of the Wazuh agent:
<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>
  7. Restart the Wazuh agent to apply the configuration changes:
> Restart-Service -Name wazuh

Enable remote administration services

Run the following commands on the Windows 11 endpoint in PowerShell with Administrator privileges to enable the Windows remote administration services:

  1. Set a password for your user account if you have not already done so. This step is essential because remote administration requires password-based authentication. If a password is already configured, you can skip this step. Replace <WINDOWS_USERNAME> with your username and <WINDOWS_PASSWORD> with the desired password:
> net user <WINDOWS_USERNAME> <WINDOWS_PASSWORD>
  2. Enable SMB file sharing, restart the relevant services, and activate Windows Remote Management (WinRM) for remote administration:
> Set-NetFirewallRule -DisplayName "File and Printer Sharing (SMB-In)" -Enabled True
> Restart-Service lanmanserver
> Enable-WindowsOptionalFeature -Online -FeatureName "SMB1Protocol" -NoRestart
> Set-Service -Name WinRM -StartupType Automatic
> Start-Service -Name WinRM
  3. Enable full administrative token access for local accounts during remote authentication to simulate lateral movement:
> Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "LocalAccountTokenFilterPolicy" -Value 1
  4. Enable Remote Procedure Call (RPC), Distributed Component Object Model (DCOM), and the related network communication used for remote administration in enterprise environments:
> net start RpcSs
> net start RpcLocator
> net start DcomLaunch
> New-NetFirewallRule -DisplayName "Allow RPC" -Direction Inbound -Protocol TCP -LocalPort 135 -Action Allow
> New-NetFirewallRule -DisplayName "Allow RPC Dynamic Ports" -Direction Inbound -Protocol TCP -LocalPort 49152-65535 -Action Allow

Configuring the Wazuh server

Wazuh has several out-of-the-box rules for detecting activities related to the use of Impacket. However, we write a few more rules to match the events more accurately and improve the detection confidence.

Perform the following steps on the Wazuh server to create the detection rules:

  1. Add the following rules to the /var/ossec/etc/rules/local_rules.xml file:
<group name="impacket,">
  <rule id="110010" level="12">
    <if_sid>92069,92052</if_sid>
    <field name="win.eventdata.parentimage" type="pcre2">(?i)\\wmiprvse\.exe$|\\mmc\.exe$|\\explorer\.exe$|\\services\.exe$</field>
    <field name="win.eventdata.commandline" type="pcre2">(?i)cmd\.exe \/Q \/c</field>
    <description>Suspicious remote command execution via $(win.eventdata.parentimage).</description>
    <mitre>
      <id>T1047</id>
      <id>T1021.003</id>
    </mitre>
  </rule>

  <rule id="110011" level="8">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)\\svchost\.exe$</field>
    <field name="win.eventdata.targetfilename" type="pcre2">(?i)\\Windows\\\\*System32\\\\*\w{8}\.tmp$|\\Windows\\\\*temp\\\\*\w{8}\.tmp$</field>
    <description>Possible attempt to dump credentials. svchost.exe created a temporary file $(win.eventdata.targetfilename).</description>
    <mitre>
      <id>T1003</id>
    </mitre>
  </rule>
</group>

Where:

  • Rule ID 110010 detects potential lateral movement: a cmd.exe /Q /c process spawned by wmiprvse.exe, mmc.exe, explorer.exe, or services.exe. This is the pattern produced by the Impacket WMIexec and SMBExec modules, which are used in both remote administrative tasks and offensive operations.
  • Rule ID 110011 triggers when svchost.exe creates a temporary file with an eight-character name in the C:\Windows\System32\ or the C:\Windows\Temp\ directory, which is indicative of the execution of the Impacket Secretsdump module.
  2. Restart the Wazuh manager service to apply the changes:
# systemctl restart wazuh-manager
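To check what the two custom rules above actually match, the following added Python example (not part of the original post or of Wazuh) applies the same PCRE2 field patterns to a few constructed Sysmon events. The event IDs, the reduced eventdata field names, and the assumption that the parent rules (92069/92052 and 61613) have already matched are taken from the rule definitions rather than from a live Wazuh pipeline.

```python
import re

# Patterns copied from the two custom rules in local_rules.xml above. They are
# written in PCRE2 syntax; Python's re module accepts these constructs unchanged.
RULE_110010_PARENT = re.compile(r"(?i)\\wmiprvse\.exe$|\\mmc\.exe$|\\explorer\.exe$|\\services\.exe$")
RULE_110010_CMD = re.compile(r"(?i)cmd\.exe \/Q \/c")
RULE_110011_IMAGE = re.compile(r"(?i)\\svchost\.exe$")
RULE_110011_TARGET = re.compile(
    r"(?i)\\Windows\\\\*System32\\\\*\w{8}\.tmp$|\\Windows\\\\*temp\\\\*\w{8}\.tmp$")

# Constructed Sysmon events, reduced to the win.eventdata fields the rules read.
# Event ID 1 = process creation (parent rules 92069/92052), 11 = file creation
# (parent rule 61613). That those parent rules already matched is assumed here.
SAMPLE_EVENTS = [
    {"eventid": 1, "eventdata": {                   # shape of a wmiexec.py command
        "parentimage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "commandline": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1700000000.1 2>&1"}},
    {"eventid": 1, "eventdata": {                   # ordinary interactive use: no /Q
        "parentimage": r"C:\Windows\explorer.exe",
        "commandline": "cmd.exe /c dir"}},
    {"eventid": 11, "eventdata": {                  # eight-character .tmp under System32
        "image": r"C:\Windows\System32\svchost.exe",
        "targetfilename": r"C:\Windows\System32\a1b2c3d4.tmp"}},
    {"eventid": 11, "eventdata": {                  # six-character name: no match
        "image": r"C:\Windows\System32\svchost.exe",
        "targetfilename": r"C:\Windows\Temp\report.tmp"}},
]


def evaluate(events):
    """Return (rule_id, level, matched_field) for each event a custom rule fires on."""
    alerts = []
    for ev in events:
        d = ev["eventdata"]
        if (ev["eventid"] == 1
                and RULE_110010_PARENT.search(d.get("parentimage", ""))
                and RULE_110010_CMD.search(d.get("commandline", ""))):
            alerts.append((110010, 12, d["parentimage"]))
        elif (ev["eventid"] == 11
                and RULE_110011_IMAGE.search(d.get("image", ""))
                and RULE_110011_TARGET.search(d.get("targetfilename", ""))):
            alerts.append((110011, 8, d["targetfilename"]))
    return alerts


if __name__ == "__main__":
    for rule_id, level, field in evaluate(SAMPLE_EVENTS):
        print(f"rule {rule_id} (level {level}) fired on {field}")
```

Running it shows that only the first and third constructed events fire, which is a quick way to sanity-check a regex change before restarting the manager.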

Attack simulation

This attack simulation demonstrates how malicious activities using Impacket tools are performed and subsequently detected by Wazuh. In this blog post, we use wmiexec.py, secretsdump.py, and smbexec.py to execute remote commands, enumerate users, and dump credentials. Perform the following steps to test the configurations and observe how Wazuh detects these activities.

Note

Perform this only within a controlled environment.

Set up Impacket

Note

As a prerequisite, ensure that you have Python3, Pip, and Git installed on the Ubuntu endpoint.

Run the following commands on the Ubuntu endpoint to clone the Impacket repository and install the required Python modules:

# git clone https://github.com/fortra/impacket.git
# cd impacket
# python3 -m pip install .

Launch the attack

Launch the following attacks from the attacker endpoint (Ubuntu) in the directory where Impacket is located. Replace <WINDOWS_USERNAME>, <WINDOWS_PASSWORD>, and <WINDOWS_IP_ADDRESS> with the credentials of the target Windows endpoint:

  1. Execute remote commands using wmiexec.py:
# python3 examples/wmiexec.py <WINDOWS_USERNAME>:<WINDOWS_PASSWORD>@<WINDOWS_IP_ADDRESS>

Verify access by running basic Windows commands on the spawned shell:

C:\> whoami
C:\> ipconfig
  2. Dump credentials using secretsdump.py:
# python3 examples/secretsdump.py <WINDOWS_USERNAME>:<WINDOWS_PASSWORD>@<WINDOWS_IP_ADDRESS>
  3. Execute remote commands with system-level privileges using smbexec.py:
# python3 examples/smbexec.py <WINDOWS_USERNAME>:<WINDOWS_PASSWORD>@<WINDOWS_IP_ADDRESS>

You will gain semi-interactive shell access with NT Authority\System privileges.

Confirm system access by running basic Windows commands on the spawned shell:

C:\Windows\system32> whoami
C:\Windows\system32> ipconfig

Visualize the alerts on the Wazuh dashboard

When the attack is executed against the monitored Windows endpoint, the Wazuh manager detects the activity and triggers alerts visible on the Wazuh dashboard.

In the image below, the alerts are generated by the execution of wmiexec.py. Some are triggered by built-in Wazuh rules that flag remote logon events and suspicious Windows cmd shell activity. The alerts with rule ID 110010 provide high-confidence indicators of Impacket execution.

Figure 1: Alerts from the execution of wmiexec.py.

The next image shows alerts with rule ID 110011 triggered by the execution of secretsdump.py. This custom rule fires when svchost.exe creates a temporary file, a behavior commonly associated with secretsdump.py. Additionally, there is an alert indicating a possible pass-the-hash attack, triggered by the login method the attacker used to perform the credential dump.

Figure 2: Alerts from the execution of secretsdump.py.

The image below shows alerts triggered by the execution of smbexec.py, reflecting similar patterns to those observed with wmiexec.py.

Figure 3: Alerts from the execution of smbexec.py.

Conclusion

Wazuh provides capabilities for detecting malicious activities related to Impacket, leveraging both out-of-the-box and custom rules to identify suspicious behavior. The built-in rules detect remote logon events and Windows cmd shell execution associated with Impacket. By creating custom rules tailored to specific attack indicators, we improved detection confidence, especially for high-risk activities such as credential dumping and lateral movement.

This blog post demonstrates how Wazuh serves as a valuable solution for threat detection, helping security teams detect stealthy attacks that mimic legitimate network behavior. Our previous blog posts listed below show how versatile Wazuh is in enhancing organizational defense strategies.

As attackers continue to evolve their methods, combining simulation exercises with real-time monitoring solutions like Wazuh ensures that organizations can stay ahead of emerging threats and improve their security posture.
